Good cybersecurity is repetitive and boring

The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring

The US Government announced on 4 June that the private information of at least four million current and former government workers had been compromised.

The intrusion occurred in systems owned by the US Office of Personnel Management (OPM) which handles government security clearances. It was detected in April 2015, but in line with most other such intrusions, may have started in 2014.

The attack drew calls by politicians for legislation to strengthen the USA’s cyberdefences. The US blamed China for the breaches, though it is unclear how good their attribution information is.

The Boring but tremendously important bits

Reports from the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside multifactor authentication. OPM also did not regularly scan for vulnerabilities in the system, and found that one third of computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”

Let’s be clear here, the answer for Cybersecurity in organisations is good housekeeping!

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

There are more things like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out.  http://www.asd.gov.au/publications/protect/top_4_mitigations.htm

This Koala is completely secure from cyber attack
This Koala is completely secure from cyber attack

The answer is not more power for intelligence and law enforcement

Let’s keep it simple

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.

Attribution is so so hard in the cyber, you have to be very lucky and have deep pockets to go after the crims.

Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.

Where might government focus its resources?

Rather than spending money on dealing with hacked systems after they happen. Government would be far better off providing good advice, encouraging education of cyber professionals and encouraging software and hardware developers to manufacture secure code and systems.

Mandatory Disclosure

Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.

I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.

Data centralisation

Many Australian state and territory governments have created shared services functions for their ICT and human resources functions. The issue is that if the wrong people get access as they did in the US OPM, then they potentially have access to everything.

Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff, the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.

It is a question as to whether decreasing the value of a system by decreasing its attractiveness ie by decentralising, can be used to affect business impact levels. However it certainly makes intuitive sense, in that you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst giving the organisation its operating requirements in terms of integrity of system and availability – see everybody’s happy!

When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis. The reason is that they take into account not only the confidentiality of information, but also its availability and accessibility. This allows the whole organisation to have a discussion about what they are willing to live with.

Human Resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in trying to do its job in managing clearances, which requires the information to have good availability against the traditional security argument, to lock things down.

Organisations need to fulfil their function, the confidentiality of information is always secondary to the primary mission in the minds of the executive.

Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.

The way to make the argument is to do so on the basis not of security, but finance.

Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.

Here’s a collection of links, which might be useful

http://www.npr.org/2015/06/05/412177006/opm-hack-exposes-records-of-4-million-federal-employees

http://www.politico.com

http://www.engadget.com/2015/06/06/opm-hack-details-revealed/

https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184

http://www.govexec.com/technology/2015/06/massive-data-breach-puts-spotlight-shared-it-services/114613/?oref=ng-channelriver

http://www.theguardian.com/technology/2015/jun/05/us-government-opm-hack-data-collection-powers

http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html

Help

We can help your agency set up its cybersecurity defence policies and procedures.

Contact us at [email protected] to talk to a cybersecurity policy expert.